23andMe to pay $30 million in U.S. settlement over data breach

23andMe will pay $30 million and provide three years of security monitoring to settle a lawsuit accusing the genetics testing company of failing to protect the privacy of 6.9 million customers whose personal information was exposed in a data breach last year.

The accord also resolves accusations that 23andMe did not tell customers with Chinese and Ashkenazi Jewish ancestry that the hacker appeared to have specifically targeted them, and posted their information for sale on the dark web.

A preliminary settlement of the proposed class action was filed late Thursday night in federal court in San Francisco, and requires a judge’s approval.

It includes cash payments for customers whose data was compromised, and lets customers enroll for three years in a program known as Privacy & Medical Shield + Genetic Monitoring.

In a Friday court filing, 23andMe called the settlement fair, adequate and reasonable.

Citing its “extremely uncertain financial condition,” 23andMe also asked the judge to halt arbitrations by tens of thousands of class members, until the settlement is approved or they decide not to participate.

In a statement, 23andMe said it believes the settlement is in its customers’ best interest. It also expects about $25 million of the cost to be covered by cyber insurance.

The breach began around April 2023 and lasted about five months, affecting nearly half of the 14.1 million customers in 23andMe’s database at the time. It was disclosed by 23andMe in an October 2023 blog post.

According to the company, the hacker accessed 5.5 million DNA Relatives profiles, which let customers share information with each other, and accessed information for another 1.4 million customers who used a feature called Family Tree.

Lawyers for the plaintiffs said the settlement addressed their clients’ main claims, and reflected significant risks of further litigation given 23andMe’s “dire” finances.

The South San Francisco-based company lost $69.4 million on revenue of $40.4 million in the quarter ending June 30.

Co-founder and Chief Executive Anne Wojcicki has been trying to take 23andMe private, three years after it went public at $10 per share. Its shares have traded below $1 since mid-December.

The plaintiffs’ lawyers may seek legal fees of up to 25% of the settlement amount.

Reporting by Jonathan Stempel in New York; editing by Jonathan Oatis
